New Questions

Which two statements about the Cisco ASA Clientless SSL VPN solution are true? (Choose two.)

A. When a client connects to the Cisco ASA WebVPN portal and tries to access HTTP resources through the URL bar, the client uses the local DNS to perform FQDN resolution.
B. The rewriter enable command under the global webvpn configuration enables the rewriter functionality because that feature is disabled by default.
C. A Cisco ASA with an AnyConnect Premium Peers license can simultaneously allow Clientless SSL VPN sessions and AnyConnect client sessions.
D. Content rewriter functionality in the Clientless SSL VPN portal is not supported on Apple mobile devices.
E. Clientless SSLVPN provides Layer 3 connectivity into the secured network.

Answer: CD

New Questions

A network engineer must configure a new VPN tunnel utilizing IKEv2. For which three reasons would a configuration use IKEv2 instead of IKEv1? (Choose three.)

New Questions

A network engineer is troubleshooting a site VPN tunnel configured on a Cisco ASA and wants to validate that the tunnel is sending and receiving traffic. Which command accomplishes this task?

New Questions

An engineer has integrated a new DMVPN to link remote offices across the internet using Cisco IOS routers. When connecting to remote sites, pings and voice data appear to flow properly and all tunnel stats seem to show that they are up. However, when trying to connect to a remote server using RDP, the connection fails. Which action resolves this issue?

Answer: B

Explanation:
Answers A and C do not make sense.
Answer D is valid only for split tunneling… if we want to pass the RDP traffic off tunnel. The ACL configured to establish the DMVPN tunnel only needs UDP 500/4500 and ESP (50).
Answer B should be correct because voice traffic (UDP) and ping use smaller MTU size and will not be fragmented… and thus will work. RDP uses TCP / 3389 and isn’t fault tolerant.

New Questions

An engineer has configured Cisco AnyConnect VPN using IKEv2 on a Cisco IOS router. The user cannot connect in the Cisco AnyConnect client, but receives an alert message “Use a browser to gain access.” Which action does the engineer take to eliminate this issue?

New Questions

Refer to the exhibit. A network administrator is running DMVPN with EIGRP. When the administrator looks at the routing table on spoke 1, it displays a route to the hub only. Which command is missing on the hub router, which includes spoke 2 and spoke 3 in the spoke 1 routing table?

New Questions

Which algorithm provides both encryption and authentication for data plane communication?

A. RC4
B. SHA-384
C. AES-256
D. SHA-96
E. 3DES
F. AES-GCM

Answer: F

New Questions

Refer to the exhibit. Client 1 cannot communicate with Client 2. Both clients are using Cisco AnyConnect and have established a successful SSL VPN connection to the hub ASA. Which command on the ASA is missing?

A. When you implement GET VPN with VRFs, all VRFs must be defined in the GDOI group configuration on the key server.
B. The pseudotime that is used for replay checking is synchronized via NTP.
C. Group members must acknowledge all KEK and TEK rekeys, regardless of configuration.
D. TEK rekeys can be load-balanced between two key servers operating in COOP.
E. The configuration that defines which traffic to encrypt is present only on the key server.

Answer: E

New Questions

Which two statements comparing ECC and RSA are true? (Choose two.)

A. Key generation in ECC is slower and more CPU intensive than RSA.
B. ECC can have the same security as RSA but with a shorter key size.
C. Key generation in ECC is faster and less CPU intensive than RSA.
D. ECC cannot have the same security as RSA, even with an increased key size.
E. ECC lags in performance when compared with RSA.

Answer: BC

New Questions

Which three types of SSO functionality are available on the Cisco ASA without any external SSO servers? (Choose three.)

A. Smart tunnels are enabled on the secure gateway (Cisco ASA) for specific applications that run on the end client and work irrespective of which transport protocol the application uses.
B. Smart tunnels require Administrative privileges to run on the client machine.
C. A smart tunnel is a DLL that is pushed from the headend to the client machine after SSL VPN portal authentication and that is attached to smart-tunneled processes to route traffic through the SSL VPN session with the gateway.
D. Smart tunnels offer better performance than the client-server plugins.
E. Smart tunnels are supported on Windows, Mac, and Linux.

Answer: CD

New Questions

As a network security architect, you must implement secure VPN connectivity among company branches over a private IP cloud with any-to-any scalable connectivity. Which technology should you use?

A. IPsec DVTI
B. FlexVPN
C. DMVPN
D. IPsec SVTI
E. GET VPN

Answer: E

New Questions

Which three configurations are required for both IPsec VTI and crypto map-based VPNs? (Choose three.)

A. MD5 produces a 64-bit message digest.
B. SHA-1 produces a 160-bit message digest.
C. MD5 takes more CPU cycles to compute than SHA-1.
D. Changing 1 bit of the input to SHA-1 can change up to 5 bits in the output.

Answer: B

New Questions

Refer to the exhibit. Which type of mismatch is causing the problem with the IPsec VPN tunnel?

A. PSK
B. Phase 1 policy
C. transform set
D. crypto access list

Answer: A

New Questions

Which three changes must be made to migrate from DMVPN Phase 2 to Phase 3 when EIGRP is configured? (Choose three.)

A. Enable EIGRP next-hop-self on the hub.
B. Disable EIGRP next-hop-self on the hub.
C. Enable EIGRP split-horizon on the hub.
D. Add NHRP redirects on the hub.
E. Add NHRP shortcuts on the spoke.
F. Add NHRP shortcuts on the hub.

Answer: BDE

New Questions

Which algorithm provides both encryption and authentication for data plane communication?

A. SHA-96
B. SHA-384
C. 3DES
D. AES-256
E. AES-GCM
F. RC4

Answer: E

New Questions

Which three configurations are prerequisites for stateful failover for IPsec? (Choose three.)

A. Only the IKE configuration that is set up on the active device must be duplicated on the standby device; the IPsec configuration is copied automatically.
B. Only crypto map configuration that is set up on the active device must be duplicated on the standby device.
C. The IPsec configuration that is set up on the active device must be duplicated on the standby device.
D. The active and standby devices can run different versions of the Cisco IOS software but need to be the same type of device.
E. The active and standby devices must run the same version of the Cisco IOS software and should be the same type of device.
F. Only the IPsec configuration that is set up on the active device must be duplicated on the standby device; the IKE configuration is copied automatically.
G. The IKE configuration that is set up on the active device must be duplicated on the standby device.

Answer: CEG

New Questions

Which two statements comparing ECC and RSA are true? (Choose two.)

A. ECC can have the same security as RSA but with a shorter key size.
B. ECC lags in performance when compared with RSA.
C. Key generation in ECC is slower and less CPU intensive than RSA.
D. ECC cannot have the same security as RSA, even with an increased key size.
E. Key generation in ECC is faster and less CPU intensive.

Answer: AE

New Questions

Which two are features of GETVPN but not DMVPN and FlexVPN? (Choose two.)

A. one IPsec SA for all encrypted traffic
B. no requirement for an overlay routing protocol
C. design for use over public or private WAN
D. sequence numbers that enable scalable replay checking
E. enabled use of ESP or AH
F. preservation of IP protocol in outer header